Trait luya\admin\traits\AdminRestBehaviorTrait

Implemented by luya\admin\apis\ApiUserController, luya\admin\apis\CommonController, luya\admin\apis\ConfigController, luya\admin\apis\EffectController, luya\admin\apis\FilterController, luya\admin\apis\GroupController, luya\admin\apis\LangController, luya\admin\apis\LoggerController, luya\admin\apis\MenuController, luya\admin\apis\NgrestLogController, luya\admin\apis\PropertyController, luya\admin\apis\ProxyBuildController, luya\admin\apis\ProxyMachineController, luya\admin\apis\QueueLogController, luya\admin\apis\QueueLogErrorController, luya\admin\apis\SearchController, luya\admin\apis\StorageController, luya\admin\apis\StorageImageController, luya\admin\apis\TagController, luya\admin\apis\TimestampController, luya\admin\apis\UserController, luya\admin\base\RestActiveController, luya\admin\base\RestController, luya\admin\ngrest\base\Api, luya\cms\admin\apis\AdminController, luya\cms\admin\apis\BlockController, luya\cms\admin\apis\BlockgroupController, luya\cms\admin\apis\LayoutController, luya\cms\admin\apis\LogController, luya\cms\admin\apis\MenuController, luya\cms\admin\apis\NavContainerController, luya\cms\admin\apis\NavController, luya\cms\admin\apis\NavItemBlockController, luya\cms\admin\apis\NavItemController, luya\cms\admin\apis\NavItemPageBlockItemController, luya\cms\admin\apis\NavItemPageController, luya\cms\admin\apis\RedirectController, luya\cms\admin\apis\ThemeController, luya\cms\admin\apis\WebsiteController
Available since version 2.1.0
Source Code https://github.com/luyadev/luya-module-admin/blob/master/src/traits/AdminRestBehaviorTrait.php

A trait for LUYA admin rest behaviors.

Implemented by

  • {{luya\admin\base\RestActiveController}}
  • {{luya\admin\base\RestController}}

Public Methods


Method Description Defined By
behaviors() Override the default {{yii\rest\Controller::behaviors()}} method. luya\admin\traits\AdminRestBehaviorTrait
canApiUserAccess() If the current user is an API user, this action may not be permitted. Because API users also act as proxies for JWT-authenticated users, sensitive information could otherwise be exposed. luya\admin\traits\AdminRestBehaviorTrait
getCompositeAuthMethods() Return all Auth methods for Composite Auth. luya\admin\traits\AdminRestBehaviorTrait
init() Initializes the object. luya\admin\traits\AdminRestBehaviorTrait
isActionAuthOptional() Whether the given action id does not require authentication. luya\admin\traits\AdminRestBehaviorTrait
userAuthClass() Get the current user auth object. luya\admin\traits\AdminRestBehaviorTrait

Method Details


behaviors() public method

Override the default {{yii\rest\Controller::behaviors()}} method.

The following changes differ from the base implementation:

  • If {{luya\rest\UserBehaviorInterface}} is not implemented, the authenticator behavior ({{yii\filters\auth\CompositeAuth}}) is removed.
  • If {{luya\rest\UserBehaviorInterface}} is implemented, the authenticator behavior ({{yii\filters\auth\CompositeAuth}}) is enabled.
  • If {{luya\rest\UserBehaviorInterface}} is implemented, the contentNegotiator behavior ({{yii\filters\ContentNegotiator}}) is enabled.
  • The rateLimiter behavior filter is removed by default.
public array behaviors ( )
return array

Returns an array with registered behavior filters based on the implementation type.

    public function behaviors()
    {
        // Start from the inherited LUYA rest behaviors (authenticator, contentNegotiator, ...)
        $behaviors = parent::behaviors();
        // Append the admin UserRequestBehavior to every admin REST controller.
        $behaviors[] = [
            'class' => UserRequestBehavior::class,
        ];
        return $behaviors;
    }

canApiUserAccess() public method (available since version 2.2.0)

If the current user is an API user, this action may not be permitted. Because API users also act as proxies for JWT-authenticated users, sensitive information could otherwise be exposed.

For example, a JWT-authenticated user proxied through an API user could access admin/api-admin-user/session, because {{luya\admin\apis\UserController::actionSession()}} is only secured through authentication and not through a specific permission (say, "view my session data").

As API users are not allowed to log in, they do not need access to these generic admin UI API endpoints. This method therefore checks whether the current user is an API user and restricts access to such calls, unless the property {{luya\admin\Module::$apiUserAllowActionsWithoutPermissions}} is enabled.

public void canApiUserAccess ( )

    public function canApiUserAccess()
    {
        // Reject API users unless the module explicitly opts in. This protects endpoints
        // that are secured by authentication only and not by a dedicated permission.
        if ($this->userAuthClass()->identity->is_api_user && !$this->_module->apiUserAllowActionsWithoutPermissions) {
            throw new ForbiddenHttpException("This controller ({$this->id}) action is forbidden for API users unless apiUserAllowActionsWithoutPermissions is enabled in admin module config.");
        }
    }

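An added usage example, not LUYA's own code: a controller extending {{luya\admin\base\RestController}} (which uses this trait) exposes an endpoint that is protected by authentication alone, so it calls canApiUserAccess() before returning anything. The namespace, controller and action names are assumptions for this example; `id` and `is_api_user` are read from the admin user identity returned by userAuthClass().

```php
<?php
// Added example, not part of LUYA. Assumes a controller extending
// luya\admin\base\RestController, which uses AdminRestBehaviorTrait.
namespace app\modules\myadmin\apis;

use luya\admin\base\RestController;

class SessionInfoController extends RestController
{
    /**
     * Returns data about the authenticated admin user. Like
     * admin/api-admin-user/session, this action is guarded only by
     * authentication, not by a permission, so it must not be reachable
     * for JWT users that are proxied through an API user.
     */
    public function actionIndex()
    {
        // Throws yii\web\ForbiddenHttpException when the identity is an API user
        // and apiUserAllowActionsWithoutPermissions is disabled (the default).
        $this->canApiUserAccess();

        $identity = $this->userAuthClass()->identity;

        return [
            'id' => $identity->id,
            'is_api_user' => (bool) $identity->is_api_user,
        ];
    }
}
```

The gate is global, not per controller: setting `'apiUserAllowActionsWithoutPermissions' => true` on the `luya\admin\Module` entry in the modules config disables it for every caller of canApiUserAccess(). Leave it at the default (false) unless API users really need those generic endpoints, and prefer giving the action its own permission if that is the case.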
getCompositeAuthMethods() public method (available since version 1.0.21)

Return all Auth methods for Composite Auth.

public array getCompositeAuthMethods ( )

    public function getCompositeAuthMethods()
    {
        $methods = parent::getCompositeAuthMethods();
        // If the jwt component is registered, JWT bearer authentication is enabled and tried first.
        if (Yii::$app->get('jwt', false)) {
            array_unshift($methods, [
                'class' => 'bizley\jwt\JwtHttpBearerAuth',
                'auth' => [Yii::$app->jwt, 'authenticateUser'],
                // Do not throw on a missing or invalid bearer token, so the remaining auth methods are tried.
                'throwException' => false,
            ]);
        }
        return $methods;
    }

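An added configuration example, not taken from LUYA's documentation: the only switch that turns on JwtHttpBearerAuth in getCompositeAuthMethods() is the presence of an application component with the id `jwt`. The component class `luya\admin\components\Jwt` and its properties `key`, `apiUserEmail` and `identityClass`, as well as the environment variable and the identity model name, are assumptions here; check them against the LUYA version you run.

```php
<?php
// Added example, not LUYA's own config. Class name and property names are
// assumptions based on the luya\admin\components\Jwt component.
return [
    'components' => [
        // Yii::$app->get('jwt', false) is truthy as soon as this entry exists,
        // which is what prepends bizley\jwt\JwtHttpBearerAuth to the auth methods.
        'jwt' => [
            'class' => 'luya\admin\components\Jwt',
            // Signing key; never commit it, read it from the environment (assumed variable name).
            'key' => getenv('LUYA_JWT_KEY'),
            // The API user whose permissions every JWT-authenticated request is
            // proxied through. Grant it only the permissions the JWT clients need:
            // canApiUserAccess() exists because this user otherwise reaches every
            // endpoint that is secured by authentication alone.
            'apiUserEmail' => 'jwt-proxy@example.com',
            // Application model implementing luya\admin\base\JwtIdentityInterface (assumed name).
            'identityClass' => 'app\models\Customer',
        ],
    ],
];
```

Because the JWT method is registered with `throwException => false`, a request without a valid bearer token is not rejected by it; CompositeAuth falls through to the remaining methods (such as the admin auth token), and only if all of them fail is the request unauthenticated.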
init() public method (available since version 2.0.36)

Initializes the object.

This method is invoked at the end of the constructor after the object is initialized with the given configuration.

public void init ( )

    public function init()
    {
        parent::init();
        $this->_module = AdminModule::getInstance();
        $this->enableCors = $this->_module->cors;
        $this->jsonCruft = $this->_module->jsonCruft;
        // Pass all the LUYA admin languages to the content negotiator; the default language must be the first
        // element in the array.
        $this->languages = [Yii::$app->composition->langShortCode];
        foreach (Yii::$app->adminLanguage->languages as $lang) {
            array_push($this->languages, $lang['short_code']);
        }
        // Disable the session for REST usage: every request must carry its own credentials.
        Yii::$app->adminuser->enableSession = false;
    }

isActionAuthOptional() public method (available since version 2.2.0)

Whether the given action id does not require authentication.

Since 3.6.0, this also returns true when CORS is enabled and the request method is OPTIONS, so that preflight requests are not blocked by authentication. The optional actions list is passed to the authenticator behavior, which is where authentication actually happens; it runs in any case before isActionAuthOptional() is consulted in beforeAction() checks.

public boolean isActionAuthOptional ( $actionId )
$actionId string

    public function isActionAuthOptional($actionId)
    {
        // CORS preflight requests carry no credentials and must pass without authentication.
        if ($this->enableCors && Yii::$app->request->isOptions) {
            return true;
        }
        return in_array($actionId, $this->authOptional);
    }

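An added example, not LUYA's own code, of how the optional-actions list is declared on a controller using this trait. It assumes `$authOptional` is a public array property on the controller (the page's own code reads `$this->authOptional`) and that the controller extends {{luya\admin\base\RestController}}; the namespace, controller and action names are invented for the example.

```php
<?php
// Added example, not part of LUYA. Assumes $authOptional is the public array
// property consulted by isActionAuthOptional() and a controller extending
// luya\admin\base\RestController.
namespace app\modules\myadmin\apis;

use luya\admin\base\RestController;

class StatusController extends RestController
{
    /**
     * Action IDs listed here skip authentication entirely. Match on the
     * kebab-case action id as Yii resolves it ("health-check" for
     * actionHealthCheck), not on the method name. Every entry is an
     * unauthenticated endpoint, so keep the list minimal.
     */
    public $authOptional = ['health-check'];

    // Public: in $authOptional, so no token is required.
    public function actionHealthCheck()
    {
        return ['status' => 'ok'];
    }

    // Protected: not in $authOptional, so the authenticator must succeed first.
    public function actionDetails()
    {
        return ['user_id' => $this->userAuthClass()->identity->id];
    }
}
```

With `'cors' => true` on the admin module, a browser's OPTIONS preflight for `details` is answered without credentials because isActionAuthOptional() returns true for OPTIONS; the subsequent GET still has to authenticate. A misspelled entry in `$authOptional` fails closed (the action simply stays protected), whereas an extra entry fails open, so review this list in code review like any other access-control change.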
userAuthClass() public method

Get the current user auth object.

public luya\admin\components\AdminUser userAuthClass ( )

    public function userAuthClass()
    {
        // The admin user component; its identity is the currently authenticated admin user.
        return Yii::$app->adminuser;
    }